Commit ac73c68e authored by Rainer Jung's avatar Rainer Jung
Browse files

Support for OpenSSL 1.1.0: 

- use new API SSL_CTX_set_max_proto_version()
  and SSL_CTX_set_min_proto_version() instead
  of SSL_CTX_set_options()
- use new methods TLS_client_method() and
  TLS_server_method()

Partial backport of r1735882 from trunk.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755849 13f79535-47bb-0310-9956-ffa450edef68
parent 8708252f

modules/ssl/ssl_engine_init.c

+47 −0
Original line number Diff line number Diff line
@@ -481,6 +481,9 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, 
    char *cp;

    int protocol = mctx->protocol;

    SSLSrvConfigRec *sc = mySrvConfig(s);

#if OPENSSL_VERSION_NUMBER >= 0x10100000L

    int prot;

#endif



    /*

     *  Create the new per-server SSL context
@@ -506,6 +509,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, 
    ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,

                 "Creating new SSL context (protocols: %s)", cp);



#if OPENSSL_VERSION_NUMBER < 0x10100000L

#ifndef OPENSSL_NO_SSL3

    if (protocol == SSL_PROTOCOL_SSLV3) {

        method = mctx->pkp ?
@@ -536,12 +540,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, 
            SSLv23_client_method() : /* proxy */

            SSLv23_server_method();  /* server */

    }

#else

    method = mctx->pkp ?

        TLS_client_method() : /* proxy */

        TLS_server_method();  /* server */

#endif

    ctx = SSL_CTX_new(method);



    mctx->ssl_ctx = ctx;



    SSL_CTX_set_options(ctx, SSL_OP_ALL);



#if OPENSSL_VERSION_NUMBER < 0x10100000L

    /* always disable SSLv2, as per RFC 6176 */

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
@@ -565,6 +575,43 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, 
    }

#endif



#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */

    /* We first determine the maximum protocol version we should provide */

    if (protocol & SSL_PROTOCOL_TLSV1_2) {

        prot = TLS1_2_VERSION;

    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {

        prot = TLS1_1_VERSION;

    } else if (protocol & SSL_PROTOCOL_TLSV1) {

        prot = TLS1_VERSION;

#ifndef OPENSSL_NO_SSL3

    } else if (protocol & SSL_PROTOCOL_SSLV3) {

        prot = SSL3_VERSION;

#endif

    } else {

        SSL_CTX_free(ctx);

        mctx->ssl_ctx = NULL;

        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()

                "No SSL protocols available [hint: SSLProtocol]");

        return ssl_die(s);

    }

    SSL_CTX_set_max_proto_version(ctx, prot);



    /* Next we scan for the minimal protocol version we should provide,

     * but we do not allow holes between max and min */

    if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {

        prot = TLS1_1_VERSION;

    }

    if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {

        prot = TLS1_VERSION;

    }

#ifndef OPENSSL_NO_SSL3

    if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {

        prot = SSL3_VERSION;

    }

#endif

    SSL_CTX_set_min_proto_version(ctx, prot);

#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */



#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE

    if (sc->cipher_server_pref == TRUE) {

        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);